Tremulous Forum

Mods => Modding Center => Topic started by: Amanieu on June 07, 2008, 03:28:50 pm

Title: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: Amanieu on June 07, 2008, 03:28:50 pm
A very serious bug has been found, which affects every single Tremulous server. I will not disclose any information about how to reproduce it. If you do know, please do not tell people about it; it will only make this situation worse.

For server owners:
Check to see if a newer version of the qvm you are using is available. Notify the authors if that has not been done yet.

For qvm makers:
Apply the following patch to your code and release a new version of your qvm immediately.
http://code.google.com/p/p-g-qvm/issues/detail?id=111
Thanks to Rezyn for the patch! :)
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: David on June 07, 2008, 04:25:11 pm
If your QVM doesn't have an update, use laks; it's fixed and released.
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: /dev/humancontroller on June 07, 2008, 04:28:48 pm
Now let's go crash some servers! xD
Title: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS NOW OR FACE SCRIPT KIDDIES
Post by: Divmax on June 07, 2008, 04:33:07 pm
1.1.0 vanilla servers are safe, although they already have a lot of bugs.

QVM Status:
PGQVM - Updated and has released an official version.
Amanieu's QVM - Updated and has released an official version.
Lakitu7's QVM - Updated and has released an official version.
TremWars QVM - Updated in the SVN and on the server.
Equilibrium QVM - Updated and has released an official version.
Tremulous SVN - Updated and fixed from r1090 onwards.

Red denotes that it isn't fixed.
Green denotes it is fixed.
Links to fixed QVMs (you might be required to compile)
Just download:
Lakitu7's Latest QVM (http://tremulous.net/forum/index.php?topic=8251.0)
PGQVM (http://tremulous.net/forum/index.php?topic=8312.0)
Required to compile:
Amanieu's QVM (fixed in SVN) (http://code.google.com/p/tremulous-amanieu/)
TremWars QVM (fixed in SVN) (http://code.google.com/p/tw-qvm/)
Now let's go crash some servers! xD
Seriously, don't.
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: Amanieu on June 07, 2008, 04:49:09 pm
Tremulous svn is also affected btw. I already submitted a bug report.
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: Paradox on June 07, 2008, 06:02:31 pm
PGQVM updated. Download now featured.
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: Divmax on June 07, 2008, 06:33:25 pm
People using Lakitu's QVM and TremWars QVM, please update because a new exploit has been found.
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: Amanieu on June 07, 2008, 06:33:57 pm
Lakitu7's qvm 5.21 still has the bug in another form. Must upgrade to 5.22.
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: Lakitu7 on June 07, 2008, 07:11:06 pm
5.22 posted. Everyone did rather jump the gun in assuming that the 5.21 I released last night was this bug rather than the bug it actually was. Oh well.

Amanieu needs to not release bugs so publicly next time so things are not so frantic. The actual exploit was on public IRC before anyone had fixes. That's no good.

Also Trem SVN needs someone to commit this.
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: Rocinante on June 07, 2008, 07:19:10 pm
And someone was running around to other servers crashing them intentionally...
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: blood2.0 on June 07, 2008, 07:44:52 pm
I am confused, what is the bug?!
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: Rocinante on June 07, 2008, 08:17:59 pm
It causes servers to crash. That's already more than should be "in the wild" about this, but since the cat was already let out of the bag that's as much as will be discussed in public :>
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: ziplocpeople on June 07, 2008, 08:36:14 pm
This bug seems to be a very big pain. I can only hope that all the trem servers will update IMMEDIATELY. This bug has already caused enough trouble, and I don't want to see any more crashes because of it.
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: + OPTIMUS + on June 07, 2008, 09:15:26 pm
!!!GRIN!!!

what was this? :-) attack of the killer bees? sounded like if a bug would've set a granger free from the game :-D
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: zaborack on June 07, 2008, 11:13:06 pm
The 'Unlimited BP' server will hopefully be up and running again soon, with a new QVM.
Thank you for your help.
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: AirJordan on June 08, 2008, 12:52:54 am
Doesn't work for me..... not for Mac OSX :'(
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: Lakitu7 on June 08, 2008, 01:08:03 am
Doesn't work for me..... not for Mac OSX :'(

This has absolutely nothing to do with what version of anything you are running. It affects QVM files, which are platform independent. If you are not running a public Tremulous server which runs a game.qvm other than the one that comes with it, this does not affect you. If you are only a player with a client, this does not affect you.

If you do run a server and are trying to apply this patch to qvm files that you compile yourself, this patch will not change whether or not it compiles. If you already have a working build environment, it will work. If not, it will not.
Title: Equilibrium QVM updated
Post by: Le Compilateur on June 08, 2008, 04:44:20 am
Equilibrium QVM 2.5 released. Contains bugfix patch. Note: previous versions do not contain the patch and as such are still susceptible to this bug.
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: wireddd on June 08, 2008, 10:10:04 pm
All of the Knights of Reason servers are patched, including the tremx server. If you are running a custom qvm I made and need help, or a new one, let me know via a pm here or on my forums, and I will help you out.
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: Paradox on June 09, 2008, 06:20:03 pm
I saw a person attempting to crash servers yesterday.
One of my admins wrote down his IP.

If you want it, I'll PM you.
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: Le Compilateur on June 09, 2008, 08:23:16 pm
I'd like it please. I don't want this jerk coming on my server(s).
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: Vociferous on June 10, 2008, 01:52:28 pm
Takhis.net was updated a few days ago; it was the first thing I did when I heard of an exploit in the wild. :)
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: slux_ITA on June 12, 2008, 01:19:11 pm
MxB private server fixed with the last paradox QVM.
Prolinux server will be fixed soon!

Thanks to all!
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: tuple on June 12, 2008, 04:21:52 pm
FWIW, I wouldn't announce servers that haven't been or will be patched. You'll just attract the party crashers. ;)
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: Le Compilateur on June 12, 2008, 08:32:22 pm
You mean the server crashers...
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: blood2.0 on June 12, 2008, 08:37:29 pm
OK, at least what is the error message and how do I patch?
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: TinMan on June 12, 2008, 08:59:34 pm
I will not disclose any information about how to reproduce it. If you do know, please do not tell people about it, it will only make this situation worse.

LOL SECURITY THROUGH OBSCURITY! Too bad this game is OpenSource. When you find a bug you tell everybody, then it gets fixed.
This was useful for buffer overflows mid-scrim :P
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: David on June 13, 2008, 12:56:43 pm
LOL SECURITY THROUGH OBSCURITY!
LOL CAN'T READ!
Please learn about the concept of "Security by Obscurity" so you can understand what it is you're talking about.
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: TinMan on June 13, 2008, 08:54:58 pm
Um, David, re-read that, let it sink in, and then you'll understand. The first post in this thread is about not telling others about the problem but just having QVM developers apply the patch to their new releases. That would fall under a method of "security through obscurity" if he doesn't want others looking into the issue or knowing about it.

What should happen is "Hey guys, there's a buffer overflow problem that some kiddies have been exploiting, don't be ignorant of it, go to this bug page, read into how it happens and make sure you get a new QVM with it patched, inform your server's admins about it, and spread the word to other server admins, especially the new ones."

(Mr. Comma is my biah)
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: David on June 13, 2008, 11:36:48 pm
Nobody is trying to 'hide' anything.
Not screaming it from the roof tops != security through obscurity.
It's just good common sense.
Security through obscurity would be not telling anyone how the pure check works, or not giving out the source code.
What's happening here is called full disclosure, and, if in keeping with the de facto standard way, would be a lot lighter on detail.
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: TinMan on June 14, 2008, 07:13:54 am
His first couple sentences define security through obscurity.
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: Amanieu on June 14, 2008, 07:57:38 am
I will not disclose any information about how to reproduce it. If you do know, please do not tell people about it, it will only make this situation worse.
There are already a few assholes going around crashing servers all over the place. Knowing the average maturity of the people in this forum, posting the instructions to reproduce the bug would cause total chaos. (Not to mention it is against the rules.)
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: Le Compilateur on June 14, 2008, 03:38:43 pm
Average maturity being what...10?
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: Amanieu on June 14, 2008, 03:55:19 pm
Average maturity being what...10?
Maturity has nothing to do with age.

Scientists have managed to teach a gorilla 400 words, and communicate with it using sign language. Its IQ is around 80, which is below the average human, but not by much.

I would expect the average IQ in this forum to be around 50, worse than a gorilla.
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: Le Compilateur on June 14, 2008, 07:54:09 pm
I think the people who make the average IQ 50 are the ones in the "Crap!" thread.
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: blood2.0 on June 14, 2008, 09:10:37 pm
I think the people who make the average IQ 50 are the ones in the "Crap!" thread.
Like me, and I was trying to find out how to crash servers: is it changing the qkey to be really long, or what? If you tell people this bug, won't they crash the noob servers with people who don't know how to code or patch and leave all the good servers? And I will not benefit from this, judging by how my server is still easily crashed by everyone.
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: tuple on June 14, 2008, 09:36:47 pm
And I will not benefit from this, judging by how my server is still easily crashed by everyone.
There is a patch in the initial post, or you could use one of the many patched QVMs, or you could ask one of the QVM authors or server ops how to patch your server. IRC is your friend.
Title: Re: CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS
Post by: Rocinante on August 31, 2008, 03:42:27 pm
I think by this point, any QVM which is actually being updated has committed a fix for this, and the sticky can go bye-bye.

Actually, Lakitu7 thought it, and I happened to agree :P